Okay, we're going to be talking, if you've seen this, saw this last year, and you haven't taken any of the changes we've talked about, stick around.
If you went back and you took all those suggestions, recommendations that we talked about last year and implemented those, you're probably all right.
What we're going to do, this is very similar to what we talked about last year.
There's a couple of new things.
There is one big difference with this.
One big difference is that we're announcing one week from this weekend, we're going with full disclosure.
So last year we went with limited disclosure in order to make sure none of you guys got hurt.
If you didn't pay attention, you didn't go out there, you know, you got one week to get your act in gear.
Lotus has done nothing in regards to this except try to downplay this.
So this is why we are doing this now.
They've had over a year to get ready.
They're acting here and they haven't done it.
My colleague, Chris Goggans, unfortunately is not here today.
So it's just basically going to be me.
Bill's up here.
This isn't Chris.
Yeah.
So I'll be doing the whole thing through here.
So we'll try to give you a break.
When we get halfway through here, I'm going to ask you if you guys want a five or ten minute break.
I know it's really hot up here.
But hopefully we won't take this long that what we've actually got up here.
We kind of ran over in Black Hat.
Hopefully we can get through everything this time.
When we did this presentation at Black Hat, we were kind of short on time.
We had a whole bunch of questions.
Feel free to ask any question you want.
But let's try to make it kind of quick.
Actually, if you have a question, because we've got fans and everything else, what I'd like to do, something different, is come down one of the aisles.
Just come down one of the aisles.
Get up and come on down so that I give you the mic.
You ask the question and we'll go from there.
Does that sound cool?
All right.
So general introduction.
Trust but verify.
We said this a year ago.
You need to go through here and verify everything that you've implemented in Notes and Domino.
A lot of the stuff you're going to be seeing today, you've probably already heard about.
You've already seen what the likes of Exchange, Outlook, a lot of the things we're going to be talking about, very similar.
It is the same type of functionality you can actually do in Lotus Notes.
Unless you're running on this guy's network over here.
Go ahead.
After our initial presentation last year, if you saw that, Lotus had actually agreed.
Do we actually have any Lotus people?
One?
All right.
Ready?
I'm going to be picking on you all day today.
I don't know where you work, but I'm not actually trying to pick on you personally.
I hope you won't take it that way.
But a lot of the stuff we talked about last year was supposed to stay up on their Security Zone part of the website, which is actually lotus.com slash Security Zone.
And it came down, I think, about two months after our talk, which was really disappointing, and I think it was an injustice to the community, both the security community and the Notes community.
When we go full disclosure, there's actually, let me tell you something.
After we did, we went with limited disclosure last year.
So we basically gave you a whole bunch of recommendations to secure your environment.
We didn't really publish the exploits.
We didn't want to arm a bunch of script kiddies.
I had about five people email me who were able to understand what we were talking about, and they were able to duplicate a lot of the things, the exploits that we had presented.
And a lot of them have been very kind of antsy to go public with this, some of the stuff they're working on.
There is a guy, his name is Koaxal Karma.
He has a website called landofsilence.com.
He's actually, will probably be publishing a brute force attack.
There's another company, or an individual within the company, I don't actually have permission yet to mention who he is, but he's also working on a brute force attack. A password brute force attack.
I believe Land of Silence will probably be publishing that, their brute force attack, within the next few months.
So you need to really make sure that...
Yeah, that's okay.
We're going to go like this.
Yeah, that's all right.
So we're going to do this presentation one more time.
If you didn't catch it last year, here we go.
All right.
So how big is Notes?
It's really big.
Last year when we talked about this, I think it was 50 million.
It's now 70.
It's above 70.
70 million corporate users.
There's a new version, Rnext.
There's a couple of new beta version releases which are out.
You can download them.
Supposedly the problems with the password authentication we talked about last year were supposed to make it into this.
I've yet to actually see it.
But in regards to what Lotus Notes is, if you're not familiar with it, how many people are not familiar with Notes?
A whole lot.
Okay.
Well, Lotus Notes is a totally integrated groupware platform.
If you're familiar with Exchange, Notes is probably a bit more integrated than Exchange
or a lot of the competing products out there.
You can do all sorts of the stuff that you see up here.
You've got the formula language.
You have LotusScript.
LotusScript is very similar to Visual Basic.
You've got JavaScript, Java, C++.
You've got the APIs in there.
Yeah, you can't actually compile C programs in there, but you have C and C++ APIs in there.
How big is it?
Who's using it?
Everybody.
Big Six accounting firms.
Half the Big Six accounting firms are using it.
Most of the financial sector is using it.
If you're a bank, you probably know what I'm talking about.
Multinationals, pharmaceutical companies, it's all up here.
Why are they using it?
Because Lotus Notes actually has a really good reputation historically for being a secure platform.
It's actually based on a public key infrastructure for both terms of authentication and encryption.
You can encrypt at the document level, at a field level.
At the network protocol level, it's pretty powerful.
It actually was a good goal to shoot for, but there's still a few problems with it.
In terms of access control, you can actually set access control at the field level, the document level, and the database, and historically, until last year, there were extremely few vulnerabilities.
There's been some new ones, and I'm not actually going to talk so much about that.
I've mentioned a couple of the guys who've worked on it.
There's been some guys who've actually, if you've gone on Bugtraq, they've actually been working on analyzing the network protocol that it's using.
They made some interesting discoveries there.
Release 5, we saw that Lotus dropped the support for the Unix platforms, which was, I feel, unfortunate.
It runs on just about everything, and that's one of the strong features of Lotus.
With Microsoft, you've got basically one choice.
With Lotus, you have lots of choices, and there's a lot of companies, a lot of organizations that make use of that.
Same thing with the servers.
Go ahead.
I'm out.
Go ahead.
Did anyone see ... I may get in a little trouble here with somebody.
Did anyone see Bruce Schneier's talk at Black Hat?
How many of you agreed with him?
How many disagreed?
Okay.
I saw only a couple of hands.
I don't agree, and I didn't get the opportunity to go up and tell him yet.
I've got some friends that actually work within his company, and hopefully I'll be able to make my objections known to him.
One of the problems I ... One of the reasons I disagree on this ...
Is that, to me, security is much more like a vaccination.
We don't try to control AIDS after you've got it.
It's too late, then.
I don't try to control other diseases.
I don't think you should be trying to control security.
I don't think you should be throwing money in the street and relying on detection and response.
I believe prevention is crucial.
Okay.
I'm sorry?
That's what a lot of us got.
Prevention is ... He stressed that it was more important, if I'm not mistaken, prevention was lesser of an importance than detection and response.
Yes, but he used the excuse, or he used the judgment, that good detection and response can make up for bad prevention, or no prevention.
I don't agree with that.
The detection and response is a lot easier and faster.
Well, a lot of that, and I understand that, and it sounds good, but it's kind of like viruses.
Detection and response is possible, and it's good when you know what you've got to detect against.
You'll see in some of this demonstration, like in terms with Lotus Notes, how can you detect things that you haven't yet witnessed?
When we presented this last year, there was a lot of things.
One of the new things we started investigating is that Notes actually supports direct translation to XML from the web server, so you can actually start pruning through a web server running on Domino and requesting XML documents.
Most companies which use the logging facilities of Domino filter out only what they want to see, HTML documents like that, such and such, and other things which look like attacks.
XML would get discarded in their logs.
If you're discarding things like XML requests, or you don't even know about XML requests, how many people actually know that you can pull XML straight from the web server?
Yes.
All right, the rest of you are victims for this, so how could you justify good detection and response on something you don't know about?
I mean, prevention is really key here.
You have to rely on all three, but you really first have, you know, it's like peace accords.
You have to have peace accords with other nations to keep a war from starting.
If you just sit around with a whole bunch of weapons, it could be too late.
So all three are really important.
I don't think that you can just base, go off and leave prevention out of the picture
because you have good detection and response.
All right.
Well, this was my example, I've already said it, but using the farming and vaccination,
because this is what the U.K. did with foot and mouth, detection and response.
And how many animals were killed?
Does that mean it's right?
Okay.
I mean, how many animals were culled?
I live in the Netherlands.
I watched all this.
You know, fortunately, the government of the Netherlands looked at this and said, this is bollocks.
And they immediately went to prevention.
They immediately started vaccinating everything.
And a whole lot of animals were saved.
So prevention is, you can't just totally throw it out the window and rely completely on detection and response.
So that's the point I'm trying to stress.
Because we have the same thing in security.
How many servers do you actually want to lose?
Because if you don't know what you're looking for with detection and response, and you're not using strong prevention, you'll lose a whole bunch of systems, servers, data before you can actually integrate that into your detection and response.
So strategically, and this is one of the things I said in Black Hat, we really have to stress this,
because already we're starting to see some of the repercussions.
People don't trust e-commerce.
People aren't using e-commerce.
Sure, some of it may have to do with the fact that there's a lot of dot-coms out there that should have never been out there to begin with.
But overwhelmingly, there was actually a poll just done.
And this was actually while Black Hat was going on, and it was TechTV, and I may get the percentage slightly wrong, but I'll get somewhere in the neighborhood.
What they were saying, they'd actually just done a poll of users on the Internet.
And currently right now, something around 80%, 85% of all these users that they surveyed were looking to see government regulation of the Internet for security and privacy.
Now, of all these 85%, which were wanting to see government regulation in terms of security, privacy, something like 75% of those surveyed had incomes of $30,000 or less.
So I'm not trying to pick on you if you make $30,000 or less.
That's not the point.
But typically, generally, I'm generalizing, and whenever I'm generalizing, I'm lying.
Generally, if you're making $30,000 or less, you're probably not a hardcore IT employee.
You're probably not familiar with everything that the rest of us are.
And in the security marketplace, we have three different, got a couple of things to consider here.
We have the supply side, we have the demand side, and we have threats.
On the supply side, I would say, of all the security consultants out there,
and again, I'm not trying to pick on anyone here, we have 80% which really stay on the surface.
A lot of these are some rather big names, unfortunately.
But they're general security consultants, and they understand the principles.
They're not hardcore technical security consultants.
Probably 20%, if that.
Are really hardcore.
On the demand side, we have 80%, which historically, up till now, I've been considering security as a non-issue.
And if you don't agree with me, then you're probably not a security consultant.
I've been out there, I've been bashing people, I've been bashing companies trying to get in the door, talking to them about security.
After we did this presentation last year, the company I had founded two years ago, we did this presentation last year, and we probably had five to ten clients for Lotus Notes security and Domino.
We probably, in the first month, we probably caught over 200.
So that percentage of the clients, you know, maybe somebody else got them.
Okay.
But I don't think that there's a whole lot of experienced Domino security consultants out there.
And right now, with the failure of the dot-coms, we're seeing a whole bunch of motivations which are increasing.
We've got international conflicts.
I was talking with some of the guys from ISS Taiwan.
They were saying that they see 40% of their attacks are coming from Asia.
Another 40% is coming from Europe.
About 10% are only coming where they're located at.
Only about 10% is coming from the United States.
So they're seeing a whole lot of activity over in Asia and Europe,
which some of you may be able to relate to.
There's a lot of corporate espionage going on.
Tons of ex-employees with nothing else to do.
They're disgusted. They're bitter.
We all know the stats that 80% of most security breaches come from disgruntled employees or from the inside.
And everyone's got increased bandwidth.
I've got a one megabit pipe into my house where a year ago I didn't.
I'm sure a lot of you probably even have more.
So how many of you actually are running 5.08, Lotus Notes and Domino?
5.07?
6?
Who's not running 5.03 or greater?
Are you running a web server?
Are y'all?
Do you know about the directory traversal attack?
Okay.
And I assume that everyone here has a security PSPG implemented.
All right.
We've really got to take this stuff seriously.
If we want to see this economy to turn around,
this isn't technical, I know,
but this is something I really believe in.
If we want to see this economy turn around,
we've got to start taking some of this stuff seriously.
If we want to see the whole everything on the Internet,
all the growth, spur more growth on the Internet, e-commerce,
we're going to have to take this much more seriously.
If you don't identify your problem, somebody else is going to.
And a lot of times I've gone out to these clients and they're talking about, you know, well, you're a security consultant.
You're supposed to solve my problems.
But you only bring problems to me.
I didn't create the problems.
I'm just, I'm helping you identify them.
One of the things, and if you're a consultant, I'm throwing this out,
just, you know, this is why we're using the vaccination as an example.
I've found that I've had a little bit better success trying to explain this to people, for the people who look at me as the creator of security problems in the Notes world.
I didn't create it.
Like I said, I didn't create any of this.
Just identifying it, just like the doctor identifies a virus.
Good.
So we're going to talk about the client side for this first half before the break.
And there's the four things which you probably remember if you saw this before.
If you haven't, we have these four things, the stored forms, the execution control list.
The execution control list, if you're not familiar with it, is to prevent potentially hostile code from running inside your Notes environment, or at least being launched from there.
We have the password hash problem.
We've still not seen any resolution to this, really.
There is a small something that you can do.
And if you haven't actually done it, which we'll get to, you need to get done this week.
Go ahead.
And then the last half, we're going to be talking about access control list of databases.
One of the things that we have been doing in the Black Hat, the Win2K, in February Black Hat Asia, we actually did some demonstrations.
They don't have the network up here, and I have some ethical problems about doing it.
We did a couple of demonstrations while we were in Asia,
but one of the things is what we called creative surfing.
And this is very, very easy under Domino.
You can start extracting information from notes databases running on Domino servers,
if they're running a web server.
Most people which have either developed internal applications on Domino or third-party applications have not undergone a serious security review of the design.
And this is causing serious problems with those databases.
Did anyone see the California Democratic Party?
It's a news story.
They were running a Domino server.
They had actually were accepting campaign contributions.
Bob Sullivan on MSNBC had covered this.
The California Democratic Party was running a Domino server.
They did not conduct a thorough investigation into the design of those applications on their Domino server, but they were accepting credit card contributions for campaign contributions on their website.
And people could go in there and just retrieve all the credit card information,
which I'm sure was really interesting to the Republican Party.
Okay.
Go ahead.
So we have the stored forms.
How many people do not understand this?
Because if nobody raises their hand, I'm going to skip this.
So how many people do not understand the Notes database structure?
Okay.
All right.
Well, with a Notes database, you have three different parts here.
You have the data.
You have the forms.
And you have the stored forms.
In regards to the data, it's structured data.
In Release 5, we had the addition of HTML.
Before that, it was just rich text.
In Release 5, you now have the native.
It can be stored as native HTML.
And this, you can include Java and JavaScript in that HTML.
On the forms, since the data is arbitrary, it's just structured data, it's not very convenient for people who are interfacing with Notes to be able to look at a document, pull out the data that they need, or for entering data.
So you have forms.
And this is similar or akin to an HTML form that you fill out.
It's actually how it structures that data.
It's how it presents it to you for you to use.
Back up.
And you actually have something else called stored forms.
And this is where you can actually put the stored form within a Notes document for transmission to another database somewhere else.
So that if that database does not actually have that form that you need to view the data, since the form is integrated into the document, when you open that particular document, you'll be able to pull it up and see it the way it was intended to be viewed.
One of the reasons I have this, the stored forms, is a lot of document management applications make use of this.
I'd say probably at least 70% of the third-party applications you can pick up on the market from business, Lotus business partners, are using stored forms.
And this causes a big problem when it comes to the security because the stored forms can actually contain executable code.
So when you pop open that document, the code that's in the stored form will actually execute.
And stored forms, this is an important point, stored forms, by default, are enabled on almost every database, especially your mail files.
By default, it is enabled.
And if you're running a mail server, and the mail server actually has Internet access for Internet mail, we'll do a demonstration here, and you can see where you can have a lot of fun with that.
So we're going to do this demonstration here real quick.
So to explain what I've got here, unfortunately, since Chris isn't here, and I'm only running on one laptop here, I actually had not configured this with advanced services in time.
I'd expected Goggans to be here and thought we could actually set up an SMTP environment that was going back and forth so you could really see this.
Those stored forms can actually be transmitted over the Internet.
And this is where I'm talking about.
So you'll have to bear with me and trust me
when I say that this is actually possible.
We actually have a server running here,
and I've got a client which I'm going to use,
switch back and forth to simulate several different users.
The user I'm actually going to be using here is... You can't really see this, but it's actually called Dutch Slachtoffer.
And that's kind of...
Since I'm in the Netherlands a lot,
we've been using Dutch names for some of this stuff.
So to give you a quick example here, or let you know what the configuration of this user actually is...
This is his execution control list here.
And you have a couple of settings here which are important.
If you're not familiar with this, you have a default setting and a no signature.
And the no signature is for any embedded objects which have no Notes signature attached to them.
Typically, these are things coming from the Internet, since things like Outlook, until previous versions of Outlook and everything, have not been using the same type of... The words have forgotten me. Same type of signature that Notes is using.
Typically, this will come across an SMTP server.
It has no signature actually associated... No Notes signature associated with it.
Default is anything that's within your own organization and has not been explicitly defined.
It's the lowest level within your own organization.
So I just wanted you to see that all this stuff is turned off here.
And you have a couple of different settings here.
These are...
As of 5.03, these are pretty much the default settings here.
Before, these things were coming with everything enabled, and I believe it was in 5.03 that they finally... Lotus finally did change this.
But there's still problems associated with this.
Let me switch to the attacker.
What we're going to do is we're going to send across a stored form.
So I've actually got already a menu option here, which creates the stored form with the code in it.
So I'm going to use this to create... Which I'm really... glad I did, because the quality of these projectors is just nasty, and I wish we had something better so you could actually see this.
I'm actually just filling out the address for Dutch Slachtoffer.
And I'm not going to put anything else in this email.
Just so you can identify it, those are all sevens.
So we'll shoot this off.
And if you look at the bottom of the console screen down here towards the bottom, you'll actually see this go across and get deposited into the victim's email account.
So we'll switch back here now.
So is anyone familiar with Bubble Boy?
Okay.
This is basically Bubble Boy recreated.
What I'm going to do, there's no actual attachment in this.
This email, although the user can't see it, actually has a stored form within the email.
And this is similar to what Bubble Boy actually did.
So the second I hit enter, what happened?
Where'd it go?
Now, maybe you would look at it as a security expert, somebody who attends this conference, and would have gone, hmm, better call the security guy.
I'd be willing to bet a hundred bucks that your secretary wouldn't.
And that's all I need.
I don't need you to open it.
I don't need to email it to the administrator.
I just need the secretary to do it.
Because there's already, if you watch the bottom here on the console, a message has been delivered back to the attacker, which has the name inbreaker.
So unless this user was actually watching the console, he probably just would have thought it was a buggy email.
True.
Yeah, what he said was that there is a bottom little display bar here.
And actually, I didn't have time, but you can get rid of this too.
This is possible to get rid of.
No, but this is true.
This actually shows, this is kind of like a command shell history almost in Notes.
It shows everything that actually happened.
I'm sorry?
Yeah.
Secretary still wouldn't know.
I've actually gone across when I used to be administrator.
You can do a broadcast on the console.
Messages will pop up there.
I used to tell people, log off, please log off, please log off.
You've got to back it up.
Finally, I'd have to walk around the office and hit them on the head.
So switch back to the user here, or the attacker.
So I've got an email here from Dutch .
And it says, I have created world access.
I can't even read that.
Basically, what it's done, the stored form had executable control, executable code, which was executed just like in the Bubble Boy virus.
And what it did, it caused that user, without him or her knowing it, to change the access control list on the mail file.
And I'm sorry I forgot to show you that.
Actually, I'd gone off and set that.
Does anyone need me to actually verify that the access control list for anonymous was completely shut off?
I see a nodding head back there.
Okay.
Let me do it again.
I apologize for that.
Okay.
So we're setting default to no access.
And we are setting anonymous to no access.
So we'll go back to the attacker and we'll send it again.
Okay.
Now I'm switching back to the victim.
So just to show you, doubly sure, default still set to no access and anonymous is set to no access.
We open it.
It disappears.
So default is now, if you see that, if you can make it out with the bad projectors, default is now set to manager.
And anonymous is set to a manager.
And I just heard my old heckler friend from last year say, show him the log.
Okay.
So you can see there that at no time did anybody else other than Dutch Slachtoffer change the access control list.
So since that code, come up front because I can't hear you way back there and I don't think anyone else will be able to.
But basically that code was executed by the victim.
Come on.
Don't be stage shy.
You're a good looking dude.
The question is just, what rights does the user have to have to their own mailbox or to that particular mailbox if they're opening it to give the manager access?
Because sometimes you might have a situation where a secretary has got read access to their boss's email and you might prefer to send them an email with the excuses code rather than the boss.
Yeah.
That's a really good question.
To change, it's just like if they were to change their own ACL.
They have to have manager access to it.
But it's very easy to create this.
I'm sure it takes no leap of imagination to figure out that you could actually check what rights do you have as the attacker causing the victim to perform this for you.
What rights do I actually have to my own mail file?
So we have actually done some code on this where you can actually have it do lookups in the database.
So if they don't have access rights to their own mail file to change it, it would actually be a problem.
It would automatically forward itself to the next person.
Send it to an admin and update the user by email and then delete the stored format so they don't see the form related to it.
It's possible to simply send it to the admin who will most likely have access, manager access to everybody's mail file and either update the ACL on the name and address book or on a user's mail file.
And if you write the script correctly, rather than deleting the form, which is really obvious and will tip off an administrator, you can simply delete out the stored object.
So all they see is a normal form that says, hey, let's have lunch.
And they can't tell that it's a stored form.
One of the other, somebody else actually had a good point as far as like having, sending this directly to the email.
I believe it was you that actually, I may not be right.
Okay.
Somebody at Black Hat just the other day had a real, asked the question.
Can, in Notes, can you actually forge the header so it looks like it's coming from someone internal?
And if you're using Notes, if you're an experienced Notes user, you've probably seen spam people do this.
So it looks like it's coming from somebody else.
You can forge your SMTP headers.
And looking at the view, you won't really know the difference unless you're using a heavily modified mail file.
So you could send, and by doing that, you could actually send the email to the administrator, have it appear as a normal user.
And the administrator will trust his users, to some extent, and open the email.
So I'm going to switch back to the attacker here.
Because this is also interesting.
I know that there's not a whole lot of people that actually run mail servers and web servers on the same box.
But quite often, web servers will often have mail in databases.
And I know of quite a few companies that actually do run.
They actually have a commercial web server running Domino.
And they have a separate mail server, which is running the HTTP process.
So that people can actually access their email using the web-based mail.
So if we actually pop this open, as the attacker, we actually get a URL back, which points directly to the victim's mail file.
And we can just click on that, pop it open, and go straight into the user's mail file without any authentication or access prompts.
And there we go.
We can now read his email and do anything with it we want over a web browser.
Okay.
Did we not touch stored forms already?
I guess, no, we don't.
Okay, a lot of this stuff with stored forms was actually reported by Oliver Berger.
I think my slides are a little messed up here.
Yeah, one of my slides got out of order.
This was reported by Oliver Berger back in 1996 in Spiegel magazine.
And I forgot to actually change that.
But there's still very few people who are actually using Access Control List.
And everybody's still using stored forms.
They're allowing the use of stored forms.
What I would rather recommend, and I know administrators are not going to like this.
But if you're accepting internet emails coming into your server and you need the use of stored forms, create two different mail files for the user.
And have one which is sitting there for internet email that uses no stored forms.
I know this is a little bit of a pain in the butt, but this is really about the only way around that I know of.
Turn off the stored forms.
Let internet emails come in there.
Have an agent.
So whenever new emails are deposited, that gets sent to their internal email.
They're automatically forwarded from that point.
Or at least they have some sort of doclink that goes to their internal email, so that they know they've got an Internet email coming in on the other email box.
And that is a kludge, but it'll work and keep you secure from stored form attacks over the internet.
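The demonstration above flips -Default- and Anonymous on the victim's mail file from No Access to Manager, and the question that followed points out that the victim needs Manager on their own mail file for that code to rewrite the ACL. As an added illustration that is not part of the talk, here is a small Python audit over constructed ACL snapshots: it flags databases where -Default- or Anonymous exceed No Access, flags mail-file owners holding Manager on their own file (Editor is enough for ordinary mail use), and diffs two ACL snapshots to show which entries gained access. The database path, user names, the dictionary representation of the ACL and the "missing entry means No Access" rule are assumptions made for this example; the access level names are Domino's own.

```python
"""Added example: audit Domino database ACLs for the conditions the talk demonstrates.

Two checks per database:
  1. -Default- and Anonymous raised above "No Access" (what the stored-form code did).
  2. A user holding Manager on their own mail file, which is the right that code needs
     in order to rewrite the ACL; Editor is enough for ordinary mail use.
Plus a diff of two ACL snapshots to show which entries gained access.
All database paths, names and snapshots below are constructed for the example.
"""

# Domino's access levels, weakest to strongest (these are the real level names).
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def level_rank(level):
    """Position of an access level in ACL_LEVELS (higher means more access)."""
    return ACL_LEVELS.index(level)


def audit_acl(db_path, owner, entries, max_public="No Access", max_owner="Editor"):
    """Return a list of finding strings for one database.

    entries maps an ACL entry name to its access level. A missing -Default- or
    Anonymous entry is treated as No Access here (an assumption of this example).
    """
    findings = []
    for name in ("-Default-", "Anonymous"):
        level = entries.get(name, "No Access")
        if level_rank(level) > level_rank(max_public):
            findings.append(f"{db_path}: {name} has {level}, expected at most {max_public}")
    owner_level = entries.get(owner)
    if owner_level is not None and level_rank(owner_level) > level_rank(max_owner):
        findings.append(
            f"{db_path}: owner {owner} has {owner_level} on own mail file, "
            f"expected at most {max_owner}"
        )
    return findings


def acl_changes(before, after):
    """Diff two ACL snapshots; return (entry, old_level, new_level) for every entry
    whose access went up. Entries absent from a snapshot count as No Access."""
    raised = []
    for name in set(before) | set(after):
        old = before.get(name, "No Access")
        new = after.get(name, "No Access")
        if level_rank(new) > level_rank(old):
            raised.append((name, old, new))
    return sorted(raised)


# Constructed snapshots of the victim's mail file ACL before and after the
# stored-form code ran (path and names are made up for the example).
VICTIM_DB = "mail/dslachtoffer.nsf"
VICTIM = "Dutch Slachtoffer/Example"
ACL_BEFORE = {
    "-Default-": "No Access",
    "Anonymous": "No Access",
    VICTIM: "Manager",
    "LocalDomainAdmins": "Manager",
}
ACL_AFTER = {**ACL_BEFORE, "-Default-": "Manager", "Anonymous": "Manager"}


def run_audit():
    """Audit both snapshots and diff them; returns (findings_before, findings_after, raised)."""
    before = audit_acl(VICTIM_DB, VICTIM, ACL_BEFORE)
    after = audit_acl(VICTIM_DB, VICTIM, ACL_AFTER)
    raised = acl_changes(ACL_BEFORE, ACL_AFTER)
    return before, after, raised


if __name__ == "__main__":
    before, after, raised = run_audit()
    print("Before:", *before, sep="\n  ")
    print("After:", *after, sep="\n  ")
    print("Entries that gained access:", *raised, sep="\n  ")
```

Even the "before" snapshot produces a finding, because the owner holding Manager on the mail file is exactly the precondition the stored-form code relies on; dropping owners to Editor and keeping -Default- and Anonymous at No Access removes both conditions the demonstration needs.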
Oh, go back.
Okay, now go ahead, I'm sorry.
So we have the execution control list, which is supposed to prevent a lot of this type of stuff.
One of the things that we started looking at was that another type of an attack was that the Notes API calls, the C API calls into Notes, are not in there.
They're not intercepted by the execution control list.
So you can use Visual Basic.
You can actually put an ActiveX control into an HTML file and send it to somebody and ask them to launch it.
And that ActiveX control will make a call into the notes API and bypass the execution control list.
So I'll give you a quick demo on this.
Okay, I'm getting ahead of myself.
I apologize here.
Before I do that, let me just say a couple more things about this.
In the execution control list, you really need to make sure this is got down and tight and that you actually have a corporate enforced, essentially enforced ECL.
Does anyone not have that?
Or does anyone have that?
Let's ask that one.
Yeah.
It's a real pain in the butt.
I know.
A lot of people are just not familiar with the execution control list.
The ECL settings are really stored in an obscure location.
There's not a lot of documentation on it.
It's not real clear until 5.02.
If you're running 5.02 or earlier than 5.02, you had world access to it.
There's also a couple of ways you can actually use either of these two options to reset an execution control list.
There's a command in the Lotus command language, @RefreshECL, and you just leave the options blank.
That will actually force the ECL to be reset.
There's other ways, where you actually add a note, something in the notes.ini file.
And it's removing ECLSetup=3 from the notes.ini file.
So you don't actually add it.
You remove that setting.
Yeah.
I'll give you a website at the end.
And all this stuff will be available there.
Because it will be available within one week.
So.
As I mentioned before, the notes API calls are not intercepted by the ECL.
And since OLE and COM uses notes API, that makes it very fun.
Sorry?
And rnext?
I actually have not investigated that yet.
So I've only started dabbling with rnext.
I'm sorry.
Yes.
I'm fixing to give you a demonstration on it here real quick.
So the question he's asking, I'm fixing to answer for him.
So we're here as the attacker.
And what I'm going to do, let me show you what I actually am going to send him.
I'm having a real problem seeing this screen, so.
Crap, I can't even see the icons.
Bear with me, I can't see the icons off to the right of my desktop.
Oops.
Okay.
I had to move these two over so I could see them.
So I've actually got, I'm just going to pop open notepad here.
And I'm going to give you an example of an HTML file.
And in here we actually have an ActiveX, we have an ActiveX control.
Which is using VBScript.
Just so you can see it.
That's all that's in there.
So what we're going to do is the attacker, we're going to attach this to an email.
So this HTML file, which is actually called prettywomen.html.
Yeah, and we know everybody wants their porn, or at least all the men.
Okay, maybe there's a couple of guys here who don't want their porno women.
I don't know. You know what I'm talking about.
It's not getting to semantics here.
So we're going to switch back to the victim here.
And as the victim, now I have a new email.
There's my HTML attachment.
This could really be anything that you would put an ActiveX control in.
And we just launch it.
Now, since we're launching this from the environment,
you would think that the execution control,
so we're launching this from the notes environment,
you have an execution control, before I do this,
which,
does not permit, really, anything.
So again, as I showed you before, everything is turned off here.
And now that...
There's also Java and Java, but we're not using Java or JavaScript.
Here, hold this.
I can't...
Typically, I have a shirt mic, trying to do this with one hand is really difficult.
So, we go ahead and we click to launch it.
So now, something I want to point out here, we do get, actually, an alert.
I'm not trying to hack Internet Explorer.
My purpose is to show you about the note security.
There's plenty of other good material out here,
and I've never tried to incorporate any of that,
just simply as to not confuse people with what I'm trying to actually do.
This is purely about Lotus Notes and Domino.
So, we do, actually, a little prompt here.
It tells us, we're about to get an ActiveX warning.
And when we get that, please click OK.
So, we'll click OK on this, and here's our ActiveX warning,
warning of a potential hostile code.
I believe it was L0pht that actually did the latest thing on this.
Is that correct?
Nobody knows?
I'm sorry?
Georgi Guninski?
Could be.
I don't actually get into the Office 2000 Internet Explorer hacks as much.
But I know that there's some good material out there on the net that you can find on this.
So, we'll go ahead and click yes.
Now, what we've seen is we get a listing in HTML.
We have this ActiveX control, which has gone off,
and this is now not going to the Domino server.
Don't be confused by that.
We're actually generating an HTML page directly through the Notes client.
And if you look back here in the view, that matches this.
We've got a listing of everything in his inbox.
So, this executed.
We did get the ActiveX warning from Internet Explorer.
As I said, that's not the purpose of this.
We did not get any type of execution control warning from Lotus Notes.
That's the point I'm trying to stress here.
Notes should have actually warned us on this and said,
we're not going to allow this to execute,
or at least given us the option to abort.
Yeah?
I'm sorry?
Can you come up here? I can't hear you.
I don't think anyone else can.
You had that execute with a standalone browser
instead of internally with the Notes client.
Would it make a difference?
Would Notes look at its internal web browser differently?
We could try it.
Yeah?
Thirty-five minutes for the whole session?
Oh, okay.
If you want to see that, because he just informed me,
we already have thirty-five minutes left.
Let's come up after and we'll try it.
I'll just show you here real quick.
Nothing got modified in the ECL.
Everything is still set to no access.
If you have a question, please come up here.
Go take the mic.
If you had detached that HTML file and launched it separately,
would it have done the same thing?
The point is, is we actually launched it
from within the Notes environment.
So you would think that the execution control list
would actually block any calls within the Notes environment.
Notes cannot protect anything coming at it externally.
There's not really too many applications that I know of
that could actually do something like that.
And that's actually even Lotus' statement as far as that goes.
So I've gone back to the attacker here,
and you'll actually see we've got an email back from the victim.
And we did this all with using Notes API calls
from the Visual Basic script.
And we actually have the name of the mail server.
You can't really see this, but on the second line,
or the first one after the big space,
it says mail server and the name of the server,
the direct or the file listing on the mail server
where his mail file is.
We actually now have his HTTP hash.
And I'll get to that in a little bit.
And we have his Notes ID file.
And that's it.
And we're going to make use of both of those,
the hash and the ID file, in a couple of minutes.
And information on his local client,
where is his ID file located on his local client.
So we've sent this all back to us.
And I'm going to have to hurry
because I really want to show you that.
Huh?
Tell him he can get up and get some water, too.
Yeah, if y'all want to get up and get some water
since we're running behind.
If y'all need some water, feel free to get up and get it.
All right.
Now we've got the ID file.
We have his hash.
The victim's hash and his ID file.
And this is where it really starts to get interesting
because the password hashes of Lotus Notes are not salted.
Unix actually went through this 15 years ago.
They figured out they had to use salted hashes.
Windows recently went through this.
Lotus is just now fixing to go through this.
The hashes are static.
In other words, this hash of a password,
the top line here, will always equal password.
I'm sorry, password will always result in that hash.
Secret will always result in this.
And the next one.
So this makes it really easy to create a whole bunch
of known passwords or a dictionary within a database
and build a brute forcer.
Yes, but there's still problems with it
because in 503 they had actually implemented an option
to upgrade to a stronger hash mechanism.
And in 503, although that was implemented, it was broken.
So you could actually select in your server profile document
to always create new users using the stronger hashing algorithm.
And in 504, they fixed it because in 503,
it would not do that by default.
In 504, oh, thank you.
In 504, they had actually fixed that.
But I just actually realized the other day,
on 506, it wasn't working again.
So...
What you have to do is you actually have to manually go back
and upgrade all your users individually.
And I'll show you how to do that in a minute.
But you have to go back and upgrade to the stronger hash,
which is the salted hash.
So where this gets really interesting is if...
Alright.
Minimize this?
We're now logged in as the attacker.
All right?
I'm going to close this so we can see what we're doing,
a bit better.
Now as the attacker,
I'm going to pretend like I'm not able to actually switch back and forth.
Because I want to walk you through this.
I'm going to attach the ID file to my desktop, which there it is.
And I'm going to switch the ID file.
Oops, I forgot one thing.
I'm going to copy and paste this hash, if I can even see it.
Okay, I'm going to copy this hash, and I'm going to switch to the next user,
or switch to the ID file I just retrieved.
Okay, now I have this hash pasted in my clipboard.
I've got to switch to find the icon here.
Okay.
All right, I had to move this icon over here.
This is the program OpenSesame, which will be released in a week, a week from today.
Both binaries and source code will be downloadable from notessecurity.com.
What we're going to do is we're going to launch this.
And since those are static hashes, and they're in static places in memory of the client,
although they do change slightly,
between each version,
Sesame knows about where those are actually supposed to be stored at.
So the hash you're seeing there is actually my hash as the attacker,
but I'm going to paste in the hash from the victim now.
And I'd like you, since this is your second time, come up here.
Now, we have, you can't really see it here, but we pasted in the hash in the middle box,
and the bottom box actually says new user password.
So I'd like for this gentleman here to type in whatever password you'd like to be able to use.
Okay.
I can't even see the screen.
I've got to switch back here.
I'll tell you what it is.
Okay, hang on.
I have a problem.
I have a problem.
I have a problem.
Oh, I got a parenthesis in there.
That's why.
Yeah, do it again.
Okay.
Yeah, do it again.
Something's funky, I think I've got a bug, okay, hang on, let's go back, okay, I'm trying
to hurry, hold this.
Okay, here we go.
Here we go.
Meanwhile, why doesn't everybody take this opportunity to get some more water?
Ten minutes before, I did a run-through, and it worked, but for some reason, something's
weird in my environment, it's acting a little hokey.
Since we're running short on time, I'm going to skip this part of the demo, if you want
to see it, come see me afterwards, we'll go sit out there, and I'll show you how to
do it, and I'll show you how it works.
A couple of people actually saw this last year, so you can talk to one of them if you
want to ask somebody if it really works, it does.
But what it would have actually done, we should have been able to paste in the hash, and it
would have appended that hash that we just pasted in to the new location where it is
in memory, and so he would have been able to type in his password, which he was typing
in clueless, and he would have been able to authenticate with the ID file using that.
He then could have actually logged out of notes, and the new user could have gone back
in and typed in his password, and everything would have worked just fine.
So, I apologize, that's not working there.
Okay.
Hello.
Hello.
Okay.
So, we have the ID file validation, which unfortunately don't work for this show, but
it does typically actually work.
One of the things after we did this at DEF CON, Lotus came back and said you had to have
physical access, so they don't consider it a serious threat, but as you saw, we actually
were able to send, get the user to actually send us his user ID.
And his hash, which then, physical access becomes a moot point, so you could actually
do this remotely.
Yeah.
Yes, it is.
Yes, it has to be the same.
What I want, what I hope to have in the next release of Sesame, is it will actually pull
it from the session in memory.
Okay.
Thank you.
So, I actually have some VB script that will do that for us.
Yeah.
Yeah, he asked if the server, or I'm sorry, the administrator actually checks his mail
on the server console, where the server's running, if we could actually have it send
the server ID file back to us, that, which doesn't have a password, yes, we could actually
have that done as well.
Yeah, that's what he was just asking. This demo actually did, but I'm working on a new
VB script that will actually yank it directly from the memory of the user. Because it's
a static, each minor release of Domino, or of the notes client, stores the hash in a
static location in memory. So if you know which version it is, then you just go to that
memory location and yank it out. That's actually how what Sesame does, is it knows where that
hash is, and it plugs it in right behind it. And we don't actually overwrite it, so that
way, when he just, the attacker can log back out if he's actually got Sesame on a floppy
disk.
Yes.
And then he just presses the F5 key, walks away, and the original user can come back
in, type in his password, and never know the difference.
Do you have a question?
Yeah.
Does that depend on the HTTP password?
In this demonstration, yeah, the VB script, since we're pulling the HTTP password there,
what he asked was, does it rely, the HTTP password in this, does it rely on the password
or does it rely on not having the salted password? And in this, it does, but even though you
may upgrade to the HTTP password, and the names and address book, to having the salted
password, in the ID file, and on the notes client, it's still unsalted.
Right now, in this demonstration, I was pulling it from the names and address book.
Okay, but you said the next version, you're going to actually pull it from memory.
Oh, there's going to be a new version of the VB script, which I also intend on releasing.
And then that should be able to pull it from memory.
But right now, when you pull it from the NAB, it will be the unsalted version, and that's
what makes it work.
But if you have your password salted in your NAB, then this won't work, right?
Right.
If you try to retrieve it from the name and address book.
But because if you upgrade to the salted, it doesn't change what the client itself is
actually using.
That only affects for the web-based authentication.
Yeah?
I'm sorry.
I know this is part of your business and everything, but when you do the full disclosure,
is it going to cover the script?
I know you said you can put the Sesame out there.
Are you going to have the scripts and the possible corrections for the problems?
Yes.
Are you going to?
Okay.
So all that will be out there?
Yeah.
And that's going to be at notessecurity.com?
Yeah.
There's also 58 Nessus scripts, which I've written.
Fifty-eight, one for every single database of the default installation that it goes through.
I put them in last year, and you showed it to us last year, and they pretty much called
their notice person and said, oh, well, and gave them all the correct answers to squash
the problem.
But basically, I can't back with a fairy tale.
They downplayed it.
They did that with everybody.
You'll be able to go, hey, guys, look at this.
Fix it.
Please.
All right.
We're not going to take a break since we're running so late.
Okay.
On the access control list, we're going to go ahead and skip straight to the server,
and I'm going to hurry on so we can let you guys out of here.
On the access control list of the server, like I just said, I've got 58 scripts for
Nessus.
Unfortunately, the author of Nessus was at Black Hat, and I've yet to actually run
into him.
I actually had to attend a different session, so I didn't get to see his presentation.
But I've been working with Nessus for about the last year and a half, and I have 58 scripts
just for the server side of notes databases.
Because there's 58 databases by default which are installed on your Domino server.
And if you're running a Domino in a web configuration, you probably haven't gone through and checked
every single database.
And the interface...
ACL Reporter.
ACL Reporter is a good tool.
If you're not familiar with it, I think it's IBM.
I'm not sure who owns it now, but it...
It's just...
You're talking about the notes database that you run.
No, no.
Okay.
ACL Reporter is a third party tool that will run daily on your server and collect
up all of your access control lists.
And you can set it up so that if there's anything that's changed, it flags it.
ACL Reporter is a tool that will run on your notes server.
It will collect up all of your access controls and flag those that have changed and those
that deviate from a rule set, so that if you've got a rule that says default access is always
defaulted to no access and somebody changes it, it flags it for you.
You can go back, see who did it, and correct it.
Unfortunately, I've found most admins will run it and not check the logs.
ACL Reporter.
ACL Reporter, I'm not sure how much it costs.
It is possible to duplicate the functionality and load a script, though.
Yeah, IBM actually has a database tool.
It's actually a database application you can run on your server.
And it will do something very similar.
And the database is all the current ACLs.
Like I said, I've been using Nessus for quite a while.
And this will do the same thing from the web server standpoint.
We didn't have enough problems already.
All right.
These are crucial ones to look at.
A lot of times when we've actually, when I've gone out and looked at somebody's server,
quite often, well, typically the name is in the address book.
If it's actually ever been used as a server.
Staging server.
Staging server.
In other words, they've done a whole lot of development on it.
And they've ramped it up to a production box for development purposes.
A lot of times the admins just gave full access to the name and address book.
Forgot to go back and change it.
You need to make sure at least, at the minimum, check the top two.
Name and address book and catalog.
The reason catalog has its sole purpose is actually to catalog.
Catalog everything on your domino environment.
And that includes documenting the access control list of each database.
I've actually, one of the Nessus scripts I've got will go off and query the catalog database.
Retrieve with just a couple of XML requests.
Not a hundred or anything like that.
Just a couple of requests.
And we'll pull back everything that's under default and no signature.
And since, like the point I made earlier.
Since most administrators have not created a view in their dom log for XML requests.
They filtered out everything else.
They're only pulling back the HTML.
What HTML requests were made.
They'll never actually see what I've just done.
And I now know where all third party and internally developed notes applications reside on their server.
And what the access control lists are.
The server ID.
There's, we have still to this day in the notes documentation.
There's kind of a quandary with this.
Regarding the ID file.
Like the gentleman over here made the comment.
Most servers do not have an ID file.
Do not have a password on their ID file.
That ID file for the server is technically the same as a user ID file.
The only difference is.
Is the information stored in the names and address book.
I can use a server ID.
Load it up in my client.
And access another server.
Not the same server.
But another server.
Within the same environment.
Or the same organization.
And be able to read it just as if, almost if I was a server.
There's of course some exceptions.
If a database actually has the type and the ACL set to only a server.
They'll see I'm accessing it with a client.
And it won't let me open that.
But a lot, since a lot of you guys don't always have that set.
I still, I'll be able to get in and access that database.
The ID file.
Another really good point was the directory traversal.
If the ID file was actually in the data directory.
And I could retrieve it.
From the data directory.
Across the web server.
So you need to make sure you've got passwords on it.
The quandary where I was mentioning.
Was that Lotus actually recommends.
If you want to use the auto restart functionality.
Don't set a password on that server ID file.
So you've got one part of the documentation.
That says put a password on that ID file.
And another part says don't.
So.
Okay.
Here with the.
This is going to get just a.
We'll touch on the web server.
There'll be more information.
Since we're not probably going to get to this.
This is where it actually has to do with creative surfing.
The URL language for the domino server is extremely powerful.
And most applications make use of it.
Where we run into problems is that.
With all that functionality.
You can do things.
You can retrieve information out of badly designed databases.
This includes the names and address book.
Here we have just kind of a synopsis of how the language is actually structured.
I would ask you to consult the developers and the administrators databases.
The help databases for the administrator and the developers.
For more information.
But this is basically how it's constructed.
Using this you can actually come across.
I'll give you a very quick demo.
I need Internet Explorer.
See Internet Explorer at the bottom there.
Okay.
All right.
And the example I'm fixing to show you to retrieve a list of users.
The way Lotus actually intended you to see this information from a web browser.
All right.
I've actually got the literal view name described.
Appended here after this.
And the URL.
We have the host name.
We have the database name.
And we have the view name.
Which is people.
And what that actually produces for us is what Lotus actually wanted you to see.
And it looks like this.
address.
We have the listing of the users here, so I'll just pick one of these.
As you can see, since we don't actually have ... Actually, I believe we do, but if we did
not have ... No, we don't.
We do not have edit access to this, to the name and address book, so as a result we cannot
see the internet password here.
But, if we actually just change, calling it from the People view to the $Users view
... I can't really read it, but I think that's it.
No, that's not it.
These screens are just horrible.
I'm sorry.
Okay, here is the $Users view.
Now we actually ... This is a different view in Notes, and if we scroll all the way over
here we'll see that in this view, which we've actually changed in the URL itself, we'll
produce a listing which will actually reveal all the HTTP passwords for us, even though
we do not have sufficient rights.
So there we are.
We have a couple more options.
We go to our
I'm having a real problem with these screens guys.
So there ... You can't really read this, and I apologize.
Again ...
But these are the HTTP hashes here, where we did not have enough access right underneath the viewable view.
Under the hidden view, using the $users view, we can now actually pull all this information up,
and we can retrieve all the HTTP hashes and other information, which was not actually intended.
We see this a lot, and this is what I was talking about with Creative Surfing.
By using the Domino URL language, when you modify this, the URL syntax of this,
you can actually obtain other views, which the developer did not intend you to actually be able to retrieve data from.
So...
So we're going to skip through here.
This is what I was just talking about.
And here you've actually just...
Since we don't have enough time, this is actually one of the Nessus scripts, which is running from the command line.
And I'm actually retrieving all the information from the name and address book...
from the catalog database, regarding other databases and what their access control lists are.
And again, that will all be available on notessecurity.com.
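As an added defender-side illustration that is not part of the talk or the speaker's tools: the point above is that admins typically only review HTML requests in their Domino web log and so never see hidden-view or XML (ReadViewEntries) requests against names.nsf or catalog.nsf. The script below parses constructed Common Log Format lines (hosts, paths and timestamps are made up) and flags requests for hidden views ($-prefixed or parenthesised), ReadViewEntries XML requests, the catalog database, .id files and directory traversal; the rule names and thresholds are the author's assumptions, not Domino settings.

```python
"""Flag Domino HTTP log requests a defender should review (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; every host, path and time
# here is made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2001:14:02:11 -0700] "GET /names.nsf/People?OpenView HTTP/1.0" 200 5120
10.0.0.5 - - [10/Jul/2001:14:02:40 -0700] "GET /names.nsf/%24Users?OpenView HTTP/1.0" 200 9811
10.0.0.5 - - [10/Jul/2001:14:03:02 -0700] "GET /catalog.nsf/$All?ReadViewEntries HTTP/1.0" 200 30211
10.0.0.9 - - [10/Jul/2001:14:07:55 -0700] "GET /server.id HTTP/1.0" 200 2944
10.0.0.9 - - [10/Jul/2001:14:08:10 -0700] "GET /../notes.ini HTTP/1.0" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# ?ReadViewEntries returns view data as XML rather than HTML, so an
# HTML-only log view never shows it.
XML_COMMANDS = {"readviewentries"}
# Databases the talk singles out as worth watching (catalog.nsf documents
# every database's ACL); extend this set to suit your own server.
WATCHED_DBS = {"catalog.nsf"}


def parse_line(line):
    """Split one CLF line into host, decoded path, database, view, command."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    target, _, query = rec["target"].partition("?")
    rec["path"] = unquote(target)            # %24Users -> $Users
    rec["command"] = query.split("&", 1)[0].lower()
    segs = [s for s in rec["path"].split("/") if s]
    lowered = [s.lower() for s in segs]
    rec["db"] = next((s for s in lowered if s.endswith(".nsf")), None)
    rec["view"] = None
    if rec["db"] is not None:
        idx = lowered.index(rec["db"])
        if idx + 1 < len(segs):
            rec["view"] = segs[idx + 1]     # keep original case for reporting
    return rec


def classify(rec):
    """Return the list of rule names this request trips (empty if benign)."""
    hits = []
    view = rec["view"] or ""
    if view.startswith("$") or view.startswith("("):
        hits.append("hidden_view")
    if rec["command"] in XML_COMMANDS:
        hits.append("xml_request")
    if rec["db"] in WATCHED_DBS:
        hits.append("watched_db")
    if rec["path"].lower().endswith(".id"):
        hits.append("id_file")
    if ".." in rec["path"].split("/"):
        hits.append("traversal")
    return hits


def analyze_log(text):
    """Return one finding per flagged request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"host": rec["host"], "path": rec["path"],
                             "command": rec["command"], "rules": hits})
    return findings


def hits_per_host(findings):
    """Count flagged requests per client, to spot a host walking the server."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['host']:12} {','.join(f['rules']):35} {f['path']}?{f['command']}")
    print(dict(hits_per_host(found)))
```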
So to skip ahead to the conclusions here...
real quick...
There's all sorts of multiple vulnerabilities.
I'm sorry, we've only got six minutes left.
That's why I'm having to hurry through here.
Go ahead.
Just move through about every 15 seconds.
In terms of workstation security, you can get malicious code to execute.
I think we did get that working, where everyone should have been able to see it.
With stored forms, we can reset ECLs, bypass ECLs,
with OLE and API calls.
On the domino server security, using the URL constructs,
you can actually view unintended content.
You can actually even modify that.
You can upload content.
You can modify the names and address book using some of those custom or creative web surfing constructs.
The server ID can be stolen.
Once you've got that, you can get into usually other areas of a notes network.
Again, the server ID is just the same as the user ID.
So make sure you've got passwords on those.
One other thing.
Coaxial Karma has actually got a couple of utilities.
A lot of people seem to be very unaware of this.
The ACLs in the notes database are actually just text fields.
If you're not familiar with that, I would ask you to actually check out either, again,
my website or landofsilence.com.
The utilities are called ACL Modify and ACL Enforce.
Using those, you can actually turn on and off consistent enforcement of ACLs,
or you can actually even modify anything you want in the ACL.
They're just little command line shell utilities for modifying databases.
This is really important because if you get physical access,
or direct access to the file system of a domino server,
there's basically no security left.
Does that work with encrypted databases?
Yes.
IDs can be obtained from the web server, the name and address book,
with malicious code and email from workstation and local drive.
We gave you demonstrations on that.
And unfortunately, I'm sorry, we didn't get Open Sesame to work.
I'll be glad to show you after this.
Just come on up and we'll get that running.
Again, most of these vulnerabilities can be dealt with using various workarounds.
All this will be documented on my website.
Don't store the user IDs in the NAB.
This is really important. Don't do that.
Store a user ID file on your removable media
or on an encrypted PGP disk.
Don't store server ID files in the data directory.
This is, I can typically, almost everyone does this
and they name the server ID with the file name server ID.
This makes it very easy for retrieving those.
Keep it out of the data directory.
Put it somewhere else much more obscure.
So it makes it more difficult for people to retrieve that.
Choose different passwords.
As this gentleman pointed out,
choose different passwords for the ID file and the HTTP accounts.
Use the strong password hash from Lotus.
You'll have to manually upgrade that.
Before you do it, I would ask that you check with any third party
or an internally developed applications to make sure it's going to work
if you're using web-based applications
because you may run into the problem that using the stronger hash
may break those applications.
Always exit Lotus Notes whenever you leave your desk.
Don't use the F5 functionality.
Using Sesame, you can get around that.
Enforce ACLs on all databases,
but at the same time make sure your operating system is completely secure.
Do not run it on a file server.
Do not run it on a print server.
Make sure it is completely tightened down.
Now let's go ahead.
We've got to hurry.
Yeah, here again, here's the URLs.
You'll be able to go to fallingdominoes.com.
That will basically take you to notessecurity.com.
Falling Dominoes is the name of this presentation.
But Notes Security, all this information in greater detail
will be available on this website.
Keep checking on Bug Track.
I've got Lotus's security zone up here,
but don't rely on that as your security.
It's your chief security zone
or security website for Lotus Notes vulnerabilities.
They've not done a very good job on that, unfortunately.
Make sure, hire security consultants to come in and review it.
Experienced Domino security consultants
to review your infrastructure.
If you're not doing that, you're taking risks you shouldn't be taking.
And again, here's the URLs for landofsilence.com,
Counterpane, Falling Dominoes,
security.com,
where you'll be able to find more information later this week.
And that's it.
Are there any other questions?
Yeah?
Yes, if the target is an NT server?
Yes, it will.
Yes.
Yeah?
How many have I actually done, been hired to do?
We did some statistics and probably 80% of the Domino servers
that are out there, which are running as web servers,
are completely open.
I've been contracted by no more than 10 in the last year,
which is really sad.
Anyone else?
Okay, you guys are free to go.